Prerequisites
Please ensure the following requirements are met:
- FortiGate with FortiOS v7.2.8 Special Build 9127 and newer that incorporates the Securosys PKCS#11 Provider (v2.2.4 and newer)
- Securosys Hardware Security Module, with PKCS#11 API enabled:
  - CloudHSM partition (HSM as a Service), or
  - Primus HSM, firmware v2.8.21 or newer. Contact sales
HSM Setup and Configuration
- Cloud: Securosys CloudHSM allows almost instant HSM operation by selecting and contracting the different services and options for your FortiGate.
  - Getting started with CloudHSM.
  - Contact sales.
- On-premises: The HSM must be initialized, and a specific user (partition) must be set up. Verify that:
  - the PKCS#11 API is licensed and enabled, and the PKCS#11 password is defined
  - a fresh, valid user setup password is retrieved for client onboarding
  - the Security Policy is restricted (disable Import/Export/Extract)
  For general on-premises Primus HSM hardware, High-Availability Cluster setup and operation in FIPS or Common Criteria certified modes, refer to the corresponding Primus HSM User Guide for details.
Enable PKCS#11 API
The API must be enabled on both the device level and the user level.
- Device user interface:
  - Setup > Configuration > Security > Device Security > Crypto Policy > PKCS#11: enabled
  - Setup > Configuration > Security > User Security > (user name) > PKCS#11: enabled
- Console interface:
    hsm_sec_set_config pkcs11=true
    hsm_user_set_config pkcs11=true
- XML configuration file:
    ...
    <pkcs_process>
        <active>enabled</active>
        ...
    </pkcs_process>
    ...
    <crypto_process>
        ...
        <crypto_user state="enabled"> <!-- enabled=user config, disabled=device config -->
            <user_name>PART001</user_name> <!-- partition name -->
            <pkcs_allowed>enabled</pkcs_allowed> <!-- enable the PKCS#11 interface on the partition -->
        </crypto_user>
        ...
Set PKCS#11 Password
This assumes that user-level configuration is used.
- Device user interface:
  - Setup > Configuration > Security > User Security > (user name) > PKCS#11 password
- Console interface:
    hsm_user_set_config pkcs11_pwd
- XML configuration file:
    ...
    <crypto_process>
        ...
        <crypto_user state="enabled"> <!-- enabled=user config, disabled=device config -->
            <user_name>PART001</user_name> <!-- partition name -->
            <pkcs_password>PRIMUSDEV</pkcs_password> <!-- set the partition password for PKCS#11 -->
            ...
        </crypto_user>
        ...
Retrieve a New Setup Password
To generate a new setup password for the specific partition:
- Device user interface:
  - Roles > User > New Setup Pw
- Console interface:
    hsm_user_new_setup_pass
Disable Wrapped Key Export, Key Extract, and Key Import
- Device user interface:
  - Setup > Configuration > Security > User Security > (user name) > Key export: disabled
  - Setup > Configuration > Security > User Security > (user name) > Key extract: disabled
  - Setup > Configuration > Security > User Security > (user name) > Key import: disabled
- Console interface:
    hsm_user_set_config key_export=false
    hsm_user_set_config key_extract=false
    hsm_user_set_config key_import=false
- XML configuration file:
    ...
    <crypto_process>
        ...
        <crypto_user state="enabled"> <!-- enabled=user config, disabled=device config -->
            <user_name>PART001</user_name> <!-- partition name -->
            ...
            <import_keys>disabled</import_keys> <!-- disable key import on the user -->
            <export_keys>disabled</export_keys> <!-- disable key export on the user -->
            <extract_keys>disabled</extract_keys> <!-- disable wrapped key export on the user -->
            ...
        </crypto_user>
        ...
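The three XML fragments above (PKCS#11 enable, PKCS#11 password, and the import/export/extract restrictions) can be checked in one pass before a partition is handed to a FortiGate. The following auditor is an added example, not Securosys or Fortinet code: it uses only the element names shown on this page, while the `<config>` root element, the sample partition and the password value are constructed placeholders.

```python
"""Audit a Primus HSM XML configuration against the hardening this page describes."""
import xml.etree.ElementTree as ET

# Constructed sample in the page's fragment format. The <config> root element,
# the partition name and the password are placeholders, not values from the page.
SAMPLE_CONFIG = """<config>
  <pkcs_process><active>enabled</active></pkcs_process>
  <crypto_process>
    <crypto_user state="enabled">
      <user_name>PART001</user_name>
      <pkcs_allowed>enabled</pkcs_allowed>
      <pkcs_password>PLACEHOLDER-PWD</pkcs_password>
      <import_keys>disabled</import_keys>
      <export_keys>enabled</export_keys>
      <extract_keys>disabled</extract_keys>
    </crypto_user>
  </crypto_process>
</config>"""

# What the page prescribes on the partition: PKCS#11 on, import/export/extract off.
EXPECTED = {"pkcs_allowed": "enabled", "import_keys": "disabled",
            "export_keys": "disabled", "extract_keys": "disabled"}


def audit_config(xml_text: str, partition: str) -> list:
    """Return a list of findings; an empty list means the partition is compliant."""
    root = ET.fromstring(xml_text)
    findings = []
    # Device level: the PKCS#11 process itself must be active.
    if root.findtext("pkcs_process/active") != "enabled":
        findings.append("device: pkcs_process/active is not 'enabled'")
    # Locate the partition's crypto_user block.
    user = next((u for u in root.iter("crypto_user")
                 if u.findtext("user_name") == partition), None)
    if user is None:
        return findings + [f"{partition}: no crypto_user entry"]
    if user.get("state") != "enabled":
        # Per the page, state="disabled" means the device-level settings apply;
        # those are not shown in the fragments, so flag it for manual review.
        return findings + [f"{partition}: user config disabled, device policy applies"]
    for tag, want in EXPECTED.items():
        got = user.findtext(tag)
        if got != want:
            findings.append(f"{partition}: {tag} is {got!r}, expected {want!r}")
    if not (user.findtext("pkcs_password") or "").strip():
        findings.append(f"{partition}: pkcs_password is not set")
    return findings
```

Run against the constructed sample, the auditor reports the one deviation (`export_keys` still enabled); an empty result means the partition matches the settings above.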